Help! Migration to New Auth Methods Policy Broke NPS Extension Integration

Asked By TechnoWizard99 On

Hey everyone!

We've been dealing with Microsoft's new converged authentication methods policy, and for the most part, the switch-over went smoothly using the migration wizard. However, we hit a significant snag with one of our tenants that utilizes the NPS Extension with RDS integration. Everything was functioning perfectly until we ran the migration wizard, but immediately afterwards, push notifications stopped working for users on the Authenticator app. Now, our logs are filled with errors and we haven't been able to resolve the issue despite trying various troubleshooting steps.

Here's a rundown of what we've attempted so far:

- Upgraded the NPS extension to the latest version
- Reregistered it with the Entra tenant multiple times
- Restarted everything multiple times
- Toggled the **OVERRIDE_NUMBER_MATCHING_WITH_OTP** setting both ways
- Ensured the test user has an Entra P1 license
- Enabled all MFA methods in the new Auth Methods policy (except certs)
- Assigned every possible MFA method to the test user
- Created a fresh Windows Server 2022 with a clean NPS setup
- Attempted to roll back the migration status, but it wouldn't validate
- Contacted our indirect provider, but their advice was just to repeat what we've already done.

Nothing has worked to bring it back, and it feels like something changed during the migration process. The error logs are showing issues connected to internal errors with the Azure MFA response, including null values causing problems. Has anyone else faced this issue or have suggestions on what else we could try? Any help would be really appreciated!

3 Answers

Answered By AdminSleuth17 On

Have you tried deleting the Authenticator app and then re-enrolling? Sometimes that helps reset any glitches in the connection.

TechnoWizard99 -

Yep, we moved all methods over and re-added them one by one. Still no luck.

Answered By SecurityNinja34 On

Check the authentication certificates on both your app registration and the server. Sometimes issues there can lead to problems with integration like this.

TechnoWizard99 -

We did check that, and the health check script mentioned everything was fine. What else do you think could be off?

Answered By CloudGuru42 On

You might want to try running the health check for the NPS extension. It could reveal if there are any underlying issues that weren't apparent before. You can find it [here](https://github.com/Azure-Samples/azure-mfa-nps-extension-health-check).

TechnoWizard99 -

We've already run that health check, and everything passed without issues.

SystemsExpert88 -

Honestly, that health check script seems outdated. I’ve heard it's not as reliable as Microsoft's official documentation, and there are ongoing issues with it.
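An added example for verifying the state behind the question's troubleshooting list and SecurityNinja34's certificate suggestion; this is not code from the thread or from Microsoft. It assumes the extension keeps its settings under `HKLM:\SOFTWARE\Microsoft\AzureMfa`, logs to the `Microsoft-AzureMfa-AuthZ/*` event channels, and stores its registration certificate in `LocalMachine\My` with the tenant ID in the subject; adjust those if your install differs.

```powershell
# Added example (not from the original thread). Snapshots the NPS extension settings,
# registration certificate and recent errors so each troubleshooting step can be checked.
# Assumed locations: registry key, event channel names and certificate subject below.
# Run in an elevated PowerShell session on the NPS server.

$RegPath  = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$LogNames = @('Microsoft-AzureMfa-AuthZ/AuthZAdminCh', 'Microsoft-AzureMfa-AuthZ/AuthZOptCh')

function Get-NpsExtensionConfig {
    # Tenant registration identifiers plus the switch the question toggled both ways.
    if (-not (Test-Path $RegPath)) { throw "NPS extension registry key not found: $RegPath" }
    $reg = Get-ItemProperty -Path $RegPath
    [pscustomobject]@{
        TenantId                      = $reg.TENANT_ID
        ClientId                      = $reg.CLIENT_ID
        OverrideNumberMatchingWithOtp = $reg.OVERRIDE_NUMBER_MATCHING_WITH_OTP
        RequireUserMatch              = $reg.REQUIRE_USER_MATCH
    }
}

function Get-NpsExtensionCertificate {
    param([string]$TenantId)
    # Registration certs are assumed to carry the tenant ID in their subject; a missing
    # or expired one is worth ruling out even when a health check script reports "fine".
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$TenantId*" } |
        Select-Object Thumbprint, NotBefore, NotAfter,
                      @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }
}

function Get-NpsExtensionErrors {
    param([int]$Hours = 48)
    # Error (level 2) and Warning (level 3) events from the extension channels.
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $LogNames) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $log } },
                          @{ n = 'Message'; e = {
                              $m = $_.Message -replace '\s+', ' '
                              if ($m.Length -gt 200) { $m.Substring(0, 200) } else { $m } } }
    }
}

$config = Get-NpsExtensionConfig
$config | Format-List
Get-NpsExtensionCertificate -TenantId $config.TenantId | Format-Table -AutoSize
# The question reports internal-error and null-value responses; surface those first.
Get-NpsExtensionErrors | Where-Object { $_.Message -match 'null|internal error' } |
    Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

Run it before and after each change (re-registration, toggling the OTP override, certificate renewal) and diff the output to see which step actually altered the server's state.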
